• Logon Session Times


    How to Get User Logon Session Times from the Event Log


    To work out a user's session time, you first need to enable three advanced audit policy subcategories, all under the Logon/Logoff category: Audit Logon, Audit Logoff and Audit Other Logon/Logoff Events.

    Together these three subcategories give you the usual logon/logoff events, plus the workstation lock/unlock events and the RDP connect/disconnect events, so every session start and stop is captured.
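    The following is an added example, not part of the original post: it turns on the three subcategories on a single machine with auditpol and then checks the effective policy. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): enable the three Logon/Logoff
# subcategories locally and verify they took effect. Requires an elevated prompt.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable

# Check: the Logon, Logoff and "Other Logon/Logoff Events" rows should now read
# "Success" (Logon: "Success and Failure"). /get shows the effective policy,
# whether it came from auditpol or from a GPO.
auditpol /get /category:"Logon/Logoff"
```

    For a set of computers, set the same three subcategories in a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff; a local auditpol change is overwritten at the next policy refresh when a GPO applies. If the legacy category-level audit policy is also configured, enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so the subcategory settings win.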

    When these policies are enabled in a GPO and applied to a set of computers, the following event IDs start being generated:

    • Logon – 4624 (Security event log)
    • Logoff – 4647 (user-initiated logoff) and 4634 (account logged off) (Security event log)
    • Startup – 6005 (System event log; the Event Log service starting, i.e. a boot)
    • RDP Session Reconnect – 4778 (Security event log)
    • RDP Session Disconnect – 4779 (Security event log)
    • Locked – 4800 (Security event log)
    • Unlocked – 4801 (Security event log)

    You’ll notice the startup event. Why include it? Because if the computer’s power plug is pulled while a user is logged on, no logoff event is ever written, and the next 6005 startup event is the only timestamp we have for when that session ended. It’s not a perfect metric, but it’s the best one available.

    Once we’ve got all of the IDs together, we need to match each session start event with the very next session end event. But what if multiple users log on to the same computer? To tell them apart we use the Logon ID field, which is unique to each logon session on a given boot (4624 and 4634 carry it as the Target Logon ID, and the values start over after a reboot). Find a session start, then read forward through the event log for the next session stop carrying the same Logon ID; the difference between the two timestamps is that user’s session time.


    In this instance, the LAB\Administrator account had logged on (ID 4624) on 8/27/2015 at 5:28 PM with a Logon ID of 0x146FF6. I then read forward through the event log until I found a session end event (ID 4634) with the same Logon ID at 5:30 PM on the same day. Pairing the two on that Logon ID, the LAB\Administrator account had been logged on for two to three minutes.

    This was just a quick demonstration of straightforward logon/logoff scenarios. When you review a computer in the “real world” you can’t always rely on a clean logon/logoff pair to derive session durations. Several scenarios come into play: a user locks her computer and comes back to unlock it (a 4800 followed by a 4801 with the same Logon ID), or she locks her computer and the power gets cut, in which case there is no unlock or logoff event, only a startup event after the next boot. These are the gotchas you need to watch out for to calculate user session history accurately.
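    The following script is an added example, not code from the original post. It implements the procedure above end to end: it pulls the Security-log events listed earlier, normalises them to start/stop records keyed on Logon ID, pairs each start with the next stop for the same Logon ID (so a lock/unlock produces two active intervals), and for a session that never got a stop event falls back to the next 6005 startup event in the System log. It assumes an elevated PowerShell session on the machine under review (reading the Security log needs administrator rights), that the three audit subcategories are enabled, and a hypothetical $Days parameter for the look-back window.

```powershell
# Added example, not code from the original post: rebuild interactive session
# intervals by pairing session start and stop events on Logon ID, falling back
# to the next System-log 6005 (boot) when a session never got a stop event.
# Assumptions: elevated PowerShell on the machine under review, the three audit
# subcategories enabled, and $Days as a hypothetical look-back parameter.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

# Return a record's EventData fields as a Name -> value hashtable
function Get-EventData {
    param($Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

$security = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4634, 4647, 4778, 4779, 4800, 4801; StartTime = $since
}
$boots = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; Id = 6005; StartTime = $since
} | Sort-Object TimeCreated

# Normalise every record to Time / Id / Kind / LogonId / User
$timeline = foreach ($e in $security) {
    $d = Get-EventData $e
    $kind = switch ($e.Id) {
        4624 { if ('2', '10', '11' -contains $d.LogonType) { 'Start' } }  # interactive, RDP, cached
        4634 { 'Stop' }
        4647 { 'Stop' }
        4778 { 'Start' }  # RDP session reconnected
        4779 { 'Stop' }   # RDP session disconnected
        4800 { 'Stop' }   # workstation locked
        4801 { 'Start' }  # workstation unlocked
    }
    if (-not $kind) { continue }  # 4624 of a service/network/unlock logon type: ignore
    $rdp     = $e.Id -in 4778, 4779          # 4778/4779 use different field names
    $logonId = if ($rdp) { $d.LogonID } else { $d.TargetLogonId }
    $user    = if ($rdp) { $d.AccountName } else { $d.TargetUserName }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Kind = $kind; LogonId = $logonId; User = $user }
}

# Walk each Logon ID's events in time order and emit one row per active interval
$sessions = foreach ($group in ($timeline | Group-Object LogonId)) {
    $open = $null
    foreach ($ev in ($group.Group | Sort-Object Time)) {
        if ($ev.Kind -eq 'Start') {
            if (-not $open) { $open = $ev }  # keep the earliest start (4624 and 4778 both fire on an RDP connect)
        } elseif ($open) {
            $minutes = [math]::Round(($ev.Time - $open.Time).TotalMinutes, 1)
            [pscustomobject]@{ User = $open.User; LogonId = $open.LogonId; Start = $open.Time
                               End = $ev.Time; EndedBy = $ev.Id; Minutes = $minutes }
            $open = $null
        }
    }
    if ($open) {
        # No stop event after the last start (power pulled, log cleared, ...):
        # the next boot after the start is the best available end time
        $boot    = $boots | Where-Object { $_.TimeCreated -gt $open.Time } | Select-Object -First 1
        $end     = if ($boot) { $boot.TimeCreated } else { $null }
        $endedBy = if ($boot) { '6005 (boot, no logoff seen)' } else { 'still open' }
        $minutes = if ($boot) { [math]::Round(($end - $open.Time).TotalMinutes, 1) } else { $null }
        [pscustomobject]@{ User = $open.User; LogonId = $open.LogonId; Start = $open.Time
                           End = $end; EndedBy = $endedBy; Minutes = $minutes }
    }
}

$sessions | Sort-Object User, Start | Format-Table -AutoSize
```

    Two things to keep in mind when reading the output. An administrator's interactive logon under UAC produces two linked logon sessions (the split token), so such a user appears twice with near-identical intervals. And because Logon IDs start over after a reboot, a start event without a stop on one boot followed by a reused Logon ID on the next boot would be paired across the reboot; widen the look-back window with care, or split the timeline at each 6005 if that matters for your review.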


  • Original article: https://www.cnblogs.com/thescentedpath/p/LogonSessionTimes.html